INSPECTOR GENERAL

DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704


August 3, 2001

MEMORANDUM FOR DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE

SUBJECT: Audit Report on Defense Joint Military Pay System Security Functions at
Defense Finance and Accounting Service Denver (Report No. D-2001-166)


We are providing this report for review and comment. We conducted the audit
to follow up on prior Defense Joint Military Pay System audits related to security
functions performed at Defense Finance and Accounting Service Denver and to evaluate
related security controls. We considered management comments on a draft of this
report when preparing the final report.

Management comments from the Director for Accounting, Defense Finance and
Accounting Service, were not fully responsive. DoD Directive 7650.3 requires that all
recommendations be resolved promptly. Therefore, we request that the Defense
Finance and Accounting Service reconsider its position on Recommendations 3.b., 3.c.,
and 3.d. Based on management’s comments, we revised one aspect of our finding and
the related Recommendation 1.a.(1). Additional comments are requested on revised
Recommendation 1.a.(1) and the related Recommendation 1.b. Management comments
should be provided by August 27, 2001. Specific requirements for the comments are
provided in the Recommendation section of the Finding.

We appreciate the courtesies extended to the audit staff. For additional
information on this report, please contact Mr. Brian Flynn at (703) 604-9489
(DSN 664-9489) (bflynn@dodig.osd.mil) or Mr. W. Andy Cooley at (303) 676-7393
(DSN 926-7393) (wcooley@dodig.osd.mil). See Appendix D for the report
distribution. The audit team members are listed inside the back cover.


Thomas F. Gimble
Acting Deputy Assistant Inspector General
for Auditing


Office of the Inspector General, DoD


Report No. D-2001-166                                           August 3, 2001
(Project No. D2000FG-0052.001)
(Formerly OFG-2119.01)


Defense Joint Military Pay System Security Functions
at Defense Finance and Accounting Service Denver


Executive Summary


Introduction. The Defense Joint Military Pay System paid $19.9 billion in FY 2000 to
Air Force members. This audit focused on computer security issues that are the responsibility
of organizations located at Defense Finance and Accounting Service Denver. Those security
issues were reported in two Inspector General, DoD, reports.

• Report No. 96-175, “Computer Security Over the Defense Joint Military Pay
System,” June 25, 1996.

• Report No. 97-203, “Application Controls Over the Defense Joint Military
Pay System Reserve Component,” August 13, 1997.

This audit supplements Inspector General, DoD, Report No. D-2001-052, “Controls Over the
Defense Joint Military Pay System,” February 15, 2001, which focused on the payroll
system’s overall general controls.

Objectives. Our audit objective was to determine whether adequate corrective actions were
taken in response to prior audits of Defense Joint Military Pay System security functions
performed at Defense Finance and Accounting Service Denver and to evaluate related security
controls. Specifically, we determined whether management adequately responded to
recommendations made in Inspector General, DoD, Reports No. 97-203 and 96-175 related to
system security functions performed at Denver, Colorado. The review of the management
control program, as it related to the overall objective, is reported in Inspector General, DoD,
Report No. D-2001-052.

Results. Management took many positive steps to implement prior audit
recommendations and otherwise improve the security posture of the payroll system. For
example, the payroll system manager established a more independent security structure over
the payroll system and quickly corrected many of the security weaknesses identified by this
audit. However, additional improvements are required in the system’s security to fully
implement prior audit recommendations and correct additional problems identified by this
audit. Several repeat findings were identified. Information system security officers for the
payroll system’s Air Force-unique resources did not have the independence required to
effectively control security over the military payroll application. Inadequate controls existed
over user access to sensitive profiles, owned transactions, datasets, and Customer Information
Control System regions. Requirements for critical-sensitive ratings for personnel given access
to payroll system resources were not met. In addition, we identified two previously
unreported security problems. Access to critical-sensitive Defense Joint Military Pay System
resources was not properly documented or controlled. Information system security officers
for the payroll system’s Air Force-unique resources did not adequately monitor inactive user
identifications. As a result, the Defense Finance and Accounting Service did not have
adequate safeguards to limit the risks of potential erroneous payments and unauthorized
changes to pay data and system resources. Although no fraud or abuse was detected,
management identified and corrected more than $152,000 in erroneous payments made in
one instance because of improper system access and the lack of separation between conflicting
duties. For details of the audit results, see the Finding section of the report.

Summary of Recommendations. We recommend that the Defense Finance and Accounting
Service revise an internal regulation and agreement to specify a chain of command
independent from the operational elements of the payroll system and provide minimum
training requirements for Information System Security Officers. We recommend
improvements in internal controls over user access to the payroll system, including individual
responsibilities for requesting, monitoring, and verifying user access. We recommend that
core security vacancies not be filled until position descriptions with correct sensitivity ratings
are in place.

Management Comments. The Defense Finance and Accounting Service concurred in all but
three recommendations. Management nonconcurred with revising an internal regulation to
clarify the chain of command for security officers, stating that a prior mediation agreement
had resolved that issue. Management nonconcurred in providing training on individual
responsibilities for requesting and monitoring user access to Air Force computer resources
because of other training already provided and recent revisions to internal guidance on
requesting and monitoring access. Management nonconcurred in requiring supervisors to
annually attest to compliance with DoD security regulations related to critical-sensitive access
to Air Force computer resources, stating that supervisors and human resources review
position sensitivity ratings and individual qualifications. A discussion of management
comments is in the Finding section of the report, and the complete text is in the Management
Comments section.

Audit Response. The Defense Finance and Accounting Service comments are fully
responsive, except on Recommendations 1.a.(1), 3.b., 3.c., and 3.d. Management
comments concurring in Recommendation 3.c. did not fully address the required corrective
actions for reviewing and validating user access requests. In nonconcurring on three
recommendations, management comments were nonresponsive. The previous mediation
agreement cited by management did not relate to Recommendation 1.a.(1), made on defining
the chain of command for security officers. However, we revised that recommendation and
the related finding discussion to reiterate a prior audit recommendation, and we request additional
comments on that revised recommendation and a related recommendation. The alternative
training and procedural changes proposed in response to Recommendation 3.b. are not an adequate
substitute for the recommended training. Also, in nonconcurring in the annual attestations
suggested by Recommendation 3.d., management focused on initial hiring controls but did not
consider instances where employees are transferred to critical-sensitive positions for which no
approved position description exists. We request that the Defense Finance and Accounting
Service reconsider its position and provide additional comments on the final report by
August 27, 2001.


Table of Contents


Executive Summary

Introduction

    Background
    Objectives

Finding

    Security Controls for the Defense Joint Military Pay System

Appendixes

    A. Audit Process
        Scope
        Methodology
    B. Prior Coverage
    C. File Transfer Protocol
    D. Report Distribution

Management Comments

    Defense Finance and Accounting Service


Background


System Overview. The Defense Joint Military Pay System (DJMS) pays active
duty, Reserve, and National Guard personnel, and military academy members of
the Army, Navy, and Air Force. In FY 2000, the payroll system paid
$19.9 billion to Air Force members. Aside from protecting the integrity of
payroll records, guarding access to DJMS is important because of the need to
protect the privacy of home addresses and other information maintained in the
master military pay records of key military members.

Audit Focus. This audit focused only on the following three Defense Finance
and Accounting Service (DFAS) organizations at Denver, Colorado.

• Directorate for DJMS Centralized Systems Management, Military
and Civilian Pay Services Denver.

• Directorate for Military Pay—Air Force, Military and Civilian Pay
Services Denver (formerly the Directorate for Military Pay, DFAS
Denver Center).

• Directorate for Technology Services, Support Services Denver
(formerly the Directorate for Software Engineering—Military Pay,
DFAS Financial Systems Organization).

This audit supplements Inspector General, DoD, Report No. D-2001-052,
“Controls Over the Defense Joint Military Pay System,” February 15, 2001,
which focused on the payroll system’s overall general controls.

Security Administration. Before February 2000, the Director for Military
Pay—Air Force, the functional application manager, was responsible for the
computer security for the DJMS core software[1] that supports DJMS as a whole,
Air Force-unique software, and pay data for Air Force members. In
February 2000, the Director for DJMS Centralized Systems Management (the
DJMS System Manager) assumed responsibility for computer security over
DJMS core resources.

The authority to implement and enforce security may be delegated to several
types of security positions with different authority, such as information
system security officers (ISSOs) or subordinate Terminal Area Security
Officers.

• An ISSO is responsible for verifying that security is provided and
implemented for the information system, to include restricting the use
of the computer system resources to authorized individuals and
limiting those individuals to using only the resources required to do
their jobs.

• A Terminal Area Security Officer is responsible for verifying that
security is provided for terminals and users in their designated area.

Three ISSOs were responsible for DJMS Air Force-unique security while
five individuals (including one ISSO) were responsible for security for DJMS
core resources. The eight individuals are collectively referred to in this report
as the DJMS Security Administrators.


[1] DJMS core software resources are defined as those application resources that affect DJMS processing
regardless of where the application resides or who the application is servicing.

Objectives


The overall objective was to determine the adequacy of management’s corrective
actions taken in response to prior audits of DJMS security functions at DFAS
Denver and to evaluate related security controls. Specifically, we determined
whether DFAS management adequately responded to recommendations made in
the following two Inspector General, DoD, reports related to system security
functions performed at Denver, Colorado.

• Report No. 96-175, “Computer Security Over the Defense Joint
Military Pay System,” June 25, 1996.

• Report No. 97-203, “Application Controls Over the Defense Joint
Military Pay System Reserve Component,” August 13, 1997.

The review of the management control program, as it related to the overall
objective, is reported in Inspector General, DoD, Report No. D-2001-052.
Appendix A discusses the audit scope and methodology. Appendix B lists prior
audits related to the audit objectives and gives details on the recommendations
followed up by this audit. Appendix C discusses actions taken by DFAS and the
Defense Information Systems Agency (DISA) to improve the controls over a file
transfer protocol used by the payroll system.
Security Controls for the Defense Joint
Military Pay System

Management took many positive steps to implement prior audit
recommendations and otherwise improve the security posture of the
payroll system. However, improvements are required in DJMS security
to fully implement prior audit recommendations and correct internal
control problems identified by this audit. Adequate corrective actions
were not undertaken for the following previously reported conditions.

• The ISSOs for DJMS Air Force-unique resources did not have
the independence needed to effectively control DJMS security
because the DFAS information security regulation did not create
a security structure that defined the chain of command for ISSOs
to preclude their reporting to the operational elements over which
they enforced computer security.

• User access to sensitive DJMS datasets, profiles, and owned
transactions[2] (OTRANs) was not adequately controlled. Most of
the DJMS Security Administrators lacked the required technical
expertise and training.

• Users’ supervisors and DJMS Security Administrators did not
meet requirements for critical-sensitive ratings for employees and
contractors given access to DJMS resources. Users’ supervisors
circumvented internal controls or did not request required
security waivers, and DJMS Security Administrators were not
adequately trained in their responsibilities.

In addition to those repeat findings, we also identified two other DJMS
security problems.

• User requests for access to critical-sensitive DJMS
resources were not properly documented or controlled by users’
supervisors and the ISSOs for DJMS Air Force-unique resources
because they lacked appropriate training.

• The ISSOs for the DJMS Air Force-unique resources did not
monitor inactive user identifications (IDs) to ensure that a
continuing need for access existed because they lacked the
required technical expertise and training.

As a result, DFAS did not have adequate safeguards to limit the risks of
potential erroneous payments and unauthorized changes to pay data and
system resources.


[2] The OTRANs are critical transactions, access to which is controlled by Computer Associates
International, Inc., TOP SECRET security software. For example, an OTRAN may allow users to
perform on-line deletions and inputs.
ISSO Independence


Prior Audit. Inspector General, DoD, Report No. 96-175 stated that ISSOs
responsible for DJMS core and Air Force-unique resources did not have the
level of authority to effectively control DJMS security. The ISSOs reported
two levels of management below the Director for Military Pay—Air Force. The
prior audit recommended that the director realign the directorate so that the
ISSOs reported directly to the director (Recommendation C.3.a.). DFAS
concurred in principle in the recommendation made in the final report but did
not plan to realign the ISSO reporting structure because of its interpretation of
DoD Directive 5200.28, “Security Requirements for Automated Information
Systems (AISs),” March 21, 1988. The Inspector General, DoD, and DFAS
mediated the issue, and a mediation agreement was signed on December 24,
1996. The agreement required DFAS to address the audit concerns in a pending
internal DJMS memorandum of agreement. However, neither the April 8,
1997, version nor the June 15, 2000, revision to the DJMS memorandum of
agreement specified where the DJMS ISSOs would be aligned within their chain
of command. The prior recommendation was superseded by recommendations
made in a subsequent audit.

Related Audit. The organizational placement of the DJMS ISSOs and other
DFAS ISSOs was questioned in Inspector General, DoD, Report No. 99-107,
“Computer Security for the Defense Civilian Pay System,” March 16, 1999.
To provide ISSOs with the level of authority and independence necessary to
protect application data, that report recommended that DFAS revise DFAS
Regulation 8000.1-R to:

• define the operational elements of each automated information system
over which security requirements must be enforced
(Recommendation 1.b.(2)), and

• create a security structure within DFAS that defines the chain of
command for ISSOs to ensure they do not report to the identified
operational elements (Recommendation 1.b.(3)).

In its September 28, 1999, comments on the final report, DFAS changed its
position from partially concurring to fully concurring in the two
recommendations. However, subsequent revisions made to the DFAS
regulation did not fully create a security structure that defines the chain of
command for the ISSOs.

DFAS Regulation. DFAS made many positive changes to strengthen computer
security in the subsequent revisions it made to DFAS Regulation 8000.1-R,
“Information Management (IM) Corporate Policy” (formerly “Information
Management Policy and Instructional Guidance”), part G., chapter 1, “DFAS
Information Assurance Policy,” July 18, 2000.

Operational Element. In concert with Recommendation 1.b.(2) in
Inspector General, DoD, Report No. 99-107, DFAS revised DFAS
Regulation 8000.1-R to define the operational element as the end-user
population and all Central Design Activity personnel who maintain the system
software.

ISSO Chain of Command. Other revisions made by DFAS to the
regulation did not create a security structure that clearly defined the chain of
command for ISSOs to preclude their reporting to those operational elements, as
was agreed to under Recommendation 1.b.(3) in Inspector General, DoD,
Report No. 99-107. DFAS Regulation 8000.1-R requires the Information
System Security Manager to appoint the ISSO. However, the regulation does
not identify the Information System Security Manager or any other official as
the direct-line supervisor for the ISSO. The DJMS Information System Security
Manager verified that she does not supervise the DJMS ISSOs at DFAS Denver.

Repeat Finding. Until February 2000, security for the DJMS Air Force-unique
and core resources was the responsibility of the Director for Military Pay—
Air Force. As a result of security problems identified with DJMS core
resources, the DJMS System Manager assumed security responsibility for those
core resources and established an interim DJMS core security team. Security
control over Air Force-unique resources remained the responsibility of the
Director for Military Pay—Air Force. The division of DJMS security
responsibilities was a positive step that strengthened the independence of DJMS
core security. However, contrary to Recommendation 1.b.(3) made in Inspector
General, DoD, Report No. 99-107, three ISSOs responsible for DJMS
Air Force-unique security did not have the independence necessary to effectively
execute their responsibilities under DoD Directive 5200.28. Instead, those three
ISSOs were assigned to the Directorate for Military Pay—Air Force, which is
part of the operational element (end-user population) over which the ISSOs must
enforce computer security. This occurred because DFAS Regulation 8000.1-R
did not create a security structure that clearly defined the chain of command for
ISSOs to preclude their reporting to those operational elements. The DFAS
regulation should be revised to clearly identify the direct-line supervisor over
the ISSOs as being the Information System Security Manager or another
manager who is not part of the operational element over which the ISSO
enforces security, such as the System or Project Manager. Corresponding
changes should be made to the DJMS memorandum of agreement.

User Access Controls


Prior Audit. Inspector General, DoD, Report No. 96-175 stated that DJMS
Security Administrators did not adequately control user access at DFAS Denver
to master pay datasets, sensitive profiles, high-risk owned transactions, and the
multiple use table, or ensure proper separation of conflicting duties among
users. To correct these problems, the prior audit recommended that user access
to these DJMS resources be reevaluated. The DFAS Deputy Director for
Information Management concurred, stating that corrective actions had already
been completed.

Repeat Finding. User access to DJMS master pay datasets, OTRANs, and
profiles was not adequately controlled and limited to users with a valid need for
access to DJMS core and Air Force-unique resources. In addition, DJMS
Security Administrators granted conflicting user access to Customer Information
Control System (CICS) regions and other DJMS resources.

Datasets. User access to DJMS critical datasets was not adequately
controlled and limited by DJMS Security Administrators. Specifically,
58 Defense Megacenter Mechanicsburg operations personnel[3] and 10 DJMS
production control personnel could make changes to DJMS datasets. At least
462 individual users could read DJMS Active Component and DJMS Reserve
Component source code, which allowed them to identify and possibly take
advantage of flaws in the internal control system. In addition, redundant and
conflicting security software access rules were written for Reserve Component
datasets. Because these datasets process the updates to the master military pay
record, the access rules for them should be properly maintained.

Profiles. User access to profiles was not adequately controlled and
limited. For example, proper separation of conflicting duties was not
maintained because profiles allowed 58 OTRANs to be changed by DJMS
production control personnel[4] and gave central site access to 11 field-level
personnel. In addition, 20 nontest personnel had access to DJMS test resources
through a system test acceptance profile. Uncontrolled profile access further
compromised the integrity of DJMS.

Owned Transactions. User access was not adequately limited and
proper separation of conflicting duties was not maintained. Excessive access to
five command-level and five DJMS active duty component OTRANs was
granted. During this audit, security personnel limited user access to the
command-level OTRANs and one of the DJMS active duty component
OTRANs. However, five DJMS active duty component OTRANs needed
further attention. For example, 169 users had production access to the final
separation payroll and 48 users had on-line delete access to production cases.

In addition, proper separation of conflicting duties was not maintained for
users having access to OTRANs. A conflict situation existed for 37 users who
could both create and release DJMS transactions to the master pay records.
Furthermore, user access to the DJMS CICS regions was not adequately
controlled to ensure a separation of conflicting duties. For example, 565 users[5]
had simultaneous access to the Air Force CICS production region and a test
region. Unrestricted access given to DJMS users jeopardizes the integrity of the
payroll system. The DJMS Security Administrators need to perform periodic
reviews of these DJMS resources to adequately limit user access and ensure
proper separation of conflicting duties.


[3] The DJMS Security Administrators later removed the access to those datasets granted to Defense
Megacenter personnel.

[4] The DJMS Security Administrators later removed the access to those datasets granted to DJMS
production control staff.

[5] The number of users was reduced from the total reported in a draft of this report.
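The periodic access review called for in the User Access Controls discussion above reduces to a small number of mechanical checks over an access listing: users holding both the create and the release transaction, users with simultaneous production and test CICS region access, test personnel holding production resources, and resources held by more users than the justified population. The script below is an added example written for this edition; it is not part of the audit report and does not use DFAS procedures or the rule syntax of the TOP SECRET security software. The access listing, the resource names (the DSN:, OTRAN:, and CICS: prefixes), the test-personnel roster, the production-resource set, and the review thresholds are all constructed for illustration.

```python
"""Access review for separation of duties and least privilege.

Added example, not from the audit report. The access listing and the
resource names below are constructed; "OTRAN:CREATE", "CICS:AF_PROD" and
similar are assumptions for the example, not TOP SECRET rule syntax.
"""
from collections import defaultdict

# Constructed access listing: (user_id, resource, permission).
SAMPLE_ACCESS = [
    ("U001", "OTRAN:CREATE",        "UPDATE"),
    ("U001", "OTRAN:RELEASE",       "UPDATE"),  # create and release: conflict
    ("U002", "OTRAN:CREATE",        "UPDATE"),
    ("U002", "CICS:AF_PROD",        "ACCESS"),
    ("U003", "CICS:AF_PROD",        "ACCESS"),
    ("U003", "CICS:AF_TEST",        "ACCESS"),  # production and test region: conflict
    ("U004", "DSN:DJMS.MASTER.PAY", "UPDATE"),  # test user on a production dataset
    ("U004", "CICS:AF_TEST",        "ACCESS"),
    ("U005", "DSN:DJMS.SOURCE",     "READ"),
    ("U006", "DSN:DJMS.SOURCE",     "READ"),
    ("U007", "OTRAN:RELEASE",       "UPDATE"),
]

# Constructed roster of test personnel (in practice taken from the personnel system).
TEST_PERSONNEL = {"U004"}

# Constructed set of production resources that test personnel must not hold.
PRODUCTION_RESOURCES = {"DSN:DJMS.MASTER.PAY", "CICS:AF_PROD",
                        "OTRAN:CREATE", "OTRAN:RELEASE"}

# Separation-of-duties rules: a user holding every (resource, permission)
# pair in a rule is in conflict.
SOD_RULES = {
    "create_and_release": {("OTRAN:CREATE", "UPDATE"), ("OTRAN:RELEASE", "UPDATE")},
    "prod_and_test_region": {("CICS:AF_PROD", "ACCESS"), ("CICS:AF_TEST", "ACCESS")},
}


def access_by_user(entries):
    """Group the listing into {user_id: {(resource, permission), ...}}."""
    held = defaultdict(set)
    for user, resource, perm in entries:
        held[user].add((resource, perm))
    return held


def find_sod_conflicts(entries, rules=SOD_RULES):
    """Return {user_id: [rule names]} for users who hold a complete conflict set."""
    conflicts = {}
    for user, pairs in access_by_user(entries).items():
        hits = sorted(name for name, combo in rules.items() if combo <= pairs)
        if hits:
            conflicts[user] = hits
    return conflicts


def find_test_personnel_on_production(entries, test_personnel=TEST_PERSONNEL,
                                      production=PRODUCTION_RESOURCES):
    """Return {user_id: [production resources]} held by test personnel."""
    flagged = defaultdict(set)
    for user, resource, _perm in entries:
        if user in test_personnel and resource in production:
            flagged[user].add(resource)
    return {user: sorted(res) for user, res in flagged.items()}


def count_holders(entries, resource, perm):
    """Number of distinct users holding a given (resource, permission)."""
    return len({u for u, r, p in entries if r == resource and p == perm})


def over_threshold(entries, thresholds):
    """thresholds: {(resource, permission): max_users}. Return the exceeded
    entries with the actual holder count so the population can be re-justified."""
    exceeded = {}
    for key, limit in thresholds.items():
        actual = count_holders(entries, *key)
        if actual > limit:
            exceeded[key] = actual
    return exceeded


if __name__ == "__main__":
    print("SoD conflicts:", find_sod_conflicts(SAMPLE_ACCESS))
    print("Test personnel on production:",
          find_test_personnel_on_production(SAMPLE_ACCESS))
    # Constructed review thresholds: at most one source-code reader and at
    # most five users able to release transactions.
    limits = {("DSN:DJMS.SOURCE", "READ"): 1, ("OTRAN:RELEASE", "UPDATE"): 5}
    print("Over threshold:", over_threshold(SAMPLE_ACCESS, limits))
```

The rules are data rather than code, so a reviewer can add a pair such as "update production dataset" plus "release transaction" without touching the logic, and the threshold check forces each over-populated resource to be re-justified rather than silently accepted. On a real system the listing would be exported from the security software and the roster from the personnel system; the checks themselves do not change.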
Technical Expertise and Training. Although responsible for immediately
resolving high priority security issues, only one of the eight DJMS Security
Administrators possessed the qualifications, technical knowledge, and skills
necessary to effectively administer DJMS security. Because most DJMS
Security Administrators lacked necessary job skills and training, they
improperly relied on the user’s supervisor and the Terminal Area Security
Officer to request appropriate access for DJMS users. The DJMS Security
Administrators did not determine through their own research whether the
requested user access was appropriate and required by functional responsibility.

Security Training. In response to a related audit,[6] DFAS Arlington[7] revised
DFAS Regulation 8000.1-R to outline specific training requirements for ISSOs
and other DFAS security positions. However, the revised DFAS regulation and
its DFAS Information Assurance Training and Certification Plan did not
establish appropriate training requirements for ISSOs. Under the DFAS
regulation, DJMS and other ISSOs are only required to meet the training
requirements for “relatively inexperienced” level 1 system administrators.
Paragraph 7.9 of the regulation needs to be revised to require that ISSOs meet
the training requirements for level 2 system administrators. Level 2 system
administrators are described as “the workhorses in a domain,” who perform the
majority of daily tasks that keep a domain running smoothly.

Summary. Because DJMS Security Administrators lacked technical training
and expertise, DJMS resources were not secure, and the integrity of DJMS pay
data was in jeopardy. For example, in December 1999, over $152,000 in
erroneous payroll payments was transmitted to the Federal Reserve Bank for
payment to members (though later recalled) because test personnel were
improperly given access to production resources by the Air Force-unique ISSOs,
whose security responsibilities at that time included DJMS core resources.
Because of that incident, the DJMS System Manager assumed security
responsibility for DJMS core resources.

The lack of technical expertise and training for most DJMS Security
Administrators was a major factor in the problems discussed below related to
critical-sensitive access, user access requests, and inactive users.


[6] Details are provided in Inspector General, DoD, Report No. 99-107, “Computer Security for the
Defense Civilian Pay System,” March 16, 1999.

[7] DFAS Arlington is the nomenclature for Headquarters, DFAS.
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Critical-Sensitive  Ratings 


Recommendations were made in two prior DJMS audits to strengthen the controls over access to critical-sensitive resources.

Inspector General, DoD, Report No. 96-175 reported that the position descriptions for the three ISSOs over DJMS Air Force-unique resources had not been properly rated as critical-sensitive. A critical-sensitive rating is required by DoD Regulation 5200.2-R when the position requires access to computer systems that could be used to cause grave damage to the application or data during its operation or maintenance. DFAS concurred in the recommendations that the Director for Military Pay—Air Force assume responsibility for designating position sensitivity for all positions created within the directorate (Recommendation C.3.b.) and verify the accuracy of the sensitivity level assigned to all positions within the directorate in accordance with DoD Regulation 5200.2-R (Recommendation C.3.c.). This prior audit identified similar problems in the Directorate of Technology Services related to critical-sensitive ratings and required waivers, which were subsequently incorporated in the following report.

Inspector General, DoD, Report No. 97-203. This prior audit reported that critical-sensitive positions in the Directorate of Technology Services were not properly rated as critical-sensitive, requests had not been made for required background investigations, and necessary waivers had not been obtained. DoD Regulation 5200.2-R requires complete background investigations on employees who will occupy critical-sensitive positions before their appointment to those positions. To avoid a delay harmful to national security, the appointment may be made before the investigation is completed if a waiver is obtained from the designated official. Corrective action by DFAS Arlington was necessary because of the DFAS-wide pattern of noncompliance with those DoD security requirements.

In accordance with the mediation agreement with the Inspector General, DoD, on May 10, 1999, the DFAS Director provided written assurance that DFAS was in compliance with the Personnel Security Program. The director stated that the sensitivity ratings for position descriptions had been reviewed and validated and appropriate investigations had been conducted or requested. Because this was an ongoing process, the director stated that procedures were in place in DFAS Human Resources and the servicing security offices to continue meeting program requirements.

Repeat Finding. Inadequate security controls existed over individuals with access to critical-sensitive DJMS software and pay data.

Interim DJMS Core Security Team. Two employees on the interim DJMS core security team were transferred from their positions as financial systems specialists, which were rated nonsensitive. At the time of that transfer, no position descriptions had been developed for the positions occupied by those two individuals on the interim DJMS core security team. Because access to critical-sensitive DJMS resources was required, the position descriptions for those security positions would have required a critical-sensitive rating. The internal controls designed to detect personnel movements in or out of critical-sensitive positions and automatically generate background investigations (and waivers, when appropriate) did not work in this situation. That is, there was no change in position descriptions when those two financial system specialists were transferred because they continued to work under their old position descriptions. DFAS employees should not be transferred to personnel positions when appropriate position descriptions have not been prepared and approved. Such prohibitions are especially important when a change in the sensitivity rating for the old or new position is involved.

DJMS Production Control. Of the nine DJMS production control personnel, four contract employees in DJMS production control were inappropriately granted sensitive system access by the ISSOs for DJMS Air Force-unique resources. Two contractors did not have the required background investigations although investigations for two other contractors were in process. However, no waivers had been obtained. These conditions occurred, in part, because the supervisor over these contract employees did not request waivers when background investigations had not been completed. Supervisors over DJMS users should receive mandatory training in their responsibilities for requesting system access.

Corrective Action. Background investigations were initiated for two contractors and waivers written for the four production-control contract employees. In addition, critical-sensitive access previously granted to the two members of the interim DJMS core security team was reevaluated and removed. Subsequent to the audit, the DJMS System Manager stated that all four DJMS core security positions (reduced from five positions) had been rated as critical-sensitive.
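The reconciliation the Repeat Finding above calls for (access actually granted, compared with the sensitivity rating on the approved position description and with the background investigation or waiver on file) can be automated once the three data sets are exported and joined by user ID. The following Python script is an added example, not part of this report and not DFAS or DJMS code; the record layout, the user IDs, and every status value in it are constructed for illustration.

```python
"""Added example (not from the report): reconcile critical-sensitive access
against position sensitivity ratings and background-investigation status.

Assumed inputs, already joined on user ID: the access level granted in the
security software, the sensitivity rating on the user's approved position
description (None when no description was ever prepared, as happened for the
interim core security team), and the investigation and waiver status from the
servicing security office. All records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL = "critical-sensitive"
NONSENSITIVE = "nonsensitive"


@dataclass
class UserRecord:
    user_id: str
    contractor: bool
    access: str                      # sensitivity of the access actually granted
    position_rating: Optional[str]   # rating on the approved PD; None = no PD
    investigation: str               # "completed", "in process" or "none"
    waiver: bool = False             # interim waiver from the designated official


def findings_for(rec: UserRecord) -> List[str]:
    """Return the control exceptions for one user (empty list = clean)."""
    out: List[str] = []
    if rec.access != CRITICAL:
        return out                   # checks apply only to critical-sensitive access
    # Check 1: the access must be backed by a critical-sensitive position description.
    if rec.position_rating is None:
        out.append("no approved position description for current position")
    elif rec.position_rating != CRITICAL:
        out.append(f"position rated {rec.position_rating} but access is {CRITICAL}")
    # Check 2: DoD 5200.2-R requires a completed investigation or, failing that, a waiver.
    if rec.investigation != "completed" and not rec.waiver:
        out.append(f"background investigation {rec.investigation} and no waiver on file")
    return out


def reconcile(records: List[UserRecord]) -> Dict[str, List[str]]:
    """Map each user ID with at least one exception to its list of exceptions."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        exceptions = findings_for(rec)
        if exceptions:
            result[rec.user_id] = exceptions
    return result


# Constructed sample: two transferred team members with no PD, four contractors
# (two with investigations in process, two with none), and two clean users.
SAMPLE = [
    UserRecord("SEC01", False, CRITICAL, None, "none"),
    UserRecord("SEC02", False, CRITICAL, None, "none"),
    UserRecord("CTR01", True, CRITICAL, CRITICAL, "in process"),
    UserRecord("CTR02", True, CRITICAL, CRITICAL, "in process"),
    UserRecord("CTR03", True, CRITICAL, CRITICAL, "none"),
    UserRecord("CTR04", True, CRITICAL, CRITICAL, "none"),
    UserRecord("EMP01", False, CRITICAL, CRITICAL, "completed"),
    UserRecord("EMP02", False, NONSENSITIVE, NONSENSITIVE, "none"),
]

if __name__ == "__main__":
    for user_id, exceptions in reconcile(SAMPLE).items():
        print(user_id, "->", "; ".join(exceptions))
```

Run periodically rather than only at appointment, the second check catches exactly the case the finding describes: an employee moved into security work under an old nonsensitive position description, so that no investigation was ever triggered.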

In addition to the repeat findings, two other DJMS security weaknesses were identified related to user access requests and inactive users.

User Access Requests


Documentation Controls. User access to DJMS and its application resources is documented and controlled by the DISA Form 41, “System Authorization Access Request.” The DFAS Denver Handbook 8000.1, “Information System Security (INFOSEC) Handbook,” December 1999, provides the following guidance on the preparation and use of the DISA Form 41.

• At the request of the user’s supervisor, the Terminal Area Security Officer prepares the initial DISA Form 41 (and subsequent modifications and deletions) requesting and justifying the user’s access to specific DJMS resources.

• After approval by the user’s supervisor, the Terminal Area Security Officer forwards the DISA Form 41 for approval to the functional data owner, the security manager, and finally the DJMS ISSO.

• After reviewing and approving the DISA Form 41, the DJMS ISSO provides the system access requested for the user.

The DJMS ISSO should not approve a DISA Form 41 that is incomplete or that requests access that conflicts with other access already provided to the user. To evaluate those DISA Form 41 controls, the audit focused on the critical-sensitive access granted under 13 user IDs to 10 DJMS production control users.

DJMS Production Control. Access to critical-sensitive DJMS resources by DJMS production control users under 13 user IDs was not properly documented or controlled by the DISA Form 41. For example, no DISA Form 41 was available to document the initial access that was requested and approved for 4 of the 13 user IDs.

Of the 63 DISA Form 41s provided for the 13 user IDs:

• 13 lacked any supervisory justification for the access requested for the user,

• 17 had not been approved by the functional data owner, and

• 7 had not been approved by the DJMS ISSO.

The documentation and control problems occurred because the ISSOs for Air Force-unique resources and the supervisors over DJMS production control users were not adequately trained in their responsibilities in requesting and granting system access using the DISA Form 41. As a result, the ISSOs for Air Force-unique resources granted access to DJMS resources to these production control users without justification or proper authorization. Effective controls over the DISA Form 41 could have identified and prevented the problems previously discussed related to user access controls and critical-sensitive access. Mandatory training of users’ supervisors and those ISSOs should improve the effectiveness of this documentation control.
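The four DISA Form 41 tests the audit applied (a form on file for every user ID, supervisory justification, functional data owner approval, ISSO approval), plus the rule that the ISSO should not approve a form whose requested access conflicts with access already held, can be run mechanically once the forms are transcribed. The following Python script is an added example, not part of this report and not a DFAS or DISA tool; the record layout, user IDs, resource names, and the single conflict pair are constructed, since the paper Form 41 has no machine-readable layout.

```python
"""Added example (not from the report): reconcile access grants against
DISA Form 41 records.

Assumptions: each Form 41 has been transcribed into a record carrying the
resources it requests and the three approvals the handbook requires
(supervisory justification, functional data owner approval, ISSO approval),
and the ISSO keeps a list of resource pairs one user may not hold together.
All user IDs, resource names and the conflict pair are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass
class Form41:
    user_id: str
    resources: Set[str]               # access requested on this form
    justification: str = ""           # supervisor's justification text
    data_owner_approved: bool = False
    isso_approved: bool = False


# Constructed conflict pair: the same user should not both update master pay
# data and control the audit trail of those updates.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"PAY.MASTER.UPDATE", "PAY.AUDIT.TRAIL"}),
}


def audit_forms(user_ids: List[str], forms: List[Form41]) -> Dict[str, List[str]]:
    """Apply the Form 41 documentation checks; returns exceptions keyed by check."""
    exceptions: Dict[str, List[str]] = {
        "no_form_on_file": [],
        "no_supervisory_justification": [],
        "not_approved_by_data_owner": [],
        "not_approved_by_isso": [],
        "conflicting_access": [],
    }
    forms_by_user: Dict[str, List[Form41]] = {}
    for form in forms:
        forms_by_user.setdefault(form.user_id, []).append(form)

    # Check 1: every user ID holding access must be backed by at least one form.
    for uid in user_ids:
        if uid not in forms_by_user:
            exceptions["no_form_on_file"].append(uid)

    # Checks 2-4: each form must carry all three approvals; forms are tagged
    # with their position in the input so the reviewer can locate them.
    for index, form in enumerate(forms):
        tag = f"{form.user_id}#{index}"
        if not form.justification.strip():
            exceptions["no_supervisory_justification"].append(tag)
        if not form.data_owner_approved:
            exceptions["not_approved_by_data_owner"].append(tag)
        if not form.isso_approved:
            exceptions["not_approved_by_isso"].append(tag)

    # Check 5: taken together, a user's forms must not request a conflict pair,
    # so the ISSO does not approve a form that conflicts with access already held.
    for uid, user_forms in forms_by_user.items():
        requested: Set[str] = set()
        for form in user_forms:
            requested |= form.resources
        for pair in CONFLICTS:
            if pair <= requested:
                exceptions["conflicting_access"].append(
                    f"{uid}: {' + '.join(sorted(pair))}")
    return exceptions


# Constructed sample: five user IDs with access, five forms on file.
USER_IDS = ["U01", "U02", "U03", "U04", "U05"]
FORMS = [
    Form41("U01", {"PAY.MASTER.UPDATE"}, "production control duties", True, True),
    Form41("U01", {"PAY.AUDIT.TRAIL"}, "also needs the audit trail", True, False),
    Form41("U02", {"PAY.PROFILE.ADMIN"}, "", True, True),
    Form41("U03", {"PAY.MASTER.UPDATE"}, "batch runs", False, True),
    Form41("U04", {"PAY.OTRAN.SUBMIT"}, "   ", True, True),
]

if __name__ == "__main__":
    for check, hits in audit_forms(USER_IDS, FORMS).items():
        print(f"{check}: {len(hits)} {hits}")
```

The counts the script prints per check are the same shape as the figures reported above (forms lacking justification, data owner approval, or ISSO approval), which makes the review repeatable between audits instead of a one-time paper exercise.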

Inactive Users


The ISSOs for DJMS Air Force-unique resources did not adequately monitor user access to DJMS. Specifically, during this audit, 196 DJMS Air Force-unique users had not accessed the system in over 180 days. The Computer Associates International, Inc., TOP SECRET security software used to protect DJMS resources and locally developed retrieval programs could have been used by those ISSOs to generate reports identifying these inactive user IDs.

However, the ISSOs did not periodically generate these reports because they lacked the technical expertise and training to extract and perform such user validations. If inactive user IDs are not promptly suspended (and removed, when appropriate), hackers could use those IDs to gain unauthorized access to the system.

Similar problems with inactive user IDs were reported in Inspector General, DoD, Report No. D-2001-052. Under Recommendations 1.f. and 2.c. to that report, the DISA Area Command Mechanicsburg and DFAS will jointly develop a procedure for reviewing all user identification codes not used within 35 days. Those recommendations and the improvement recommended by this report in the training requirements for DJMS ISSOs should improve controls over inactive user accounts. Therefore, no additional corrective actions are recommended in this report.
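The inactive-user report the ISSOs did not generate needs nothing more than a last-access listing and a threshold. The following Python script is an added example, not part of this report and not TOP SECRET or DFAS retrieval code; it assumes a constructed one-line-per-user listing rather than the security software's own report layout, and it takes the threshold as a parameter so the same check serves both the 180-day condition found here and the 35-day review procedure under Report No. D-2001-052.

```python
"""Added example (not from the report): flag inactive user IDs from a
last-access listing.

The listing format is an assumption: one constructed line per user ID,
"<user id> <last access as YYYY-MM-DD or NEVER>". IDs that have never been
used are reported regardless of threshold.
"""
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample listing; the real security software report looks different.
SAMPLE_LISTING = """\
# userid  last-access
AFPC01  2000-06-01
AFPC02  2001-02-20
AFPC03  2000-12-15
AFPC04  NEVER
AFPC05  2001-01-20
"""


def parse_listing(text: str) -> List[Tuple[str, Optional[date]]]:
    """Parse the listing into (user_id, last_access) pairs; NEVER becomes None."""
    rows: List[Tuple[str, Optional[date]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank and comment lines
        user_id, last = line.split()
        rows.append((user_id, None if last == "NEVER" else date.fromisoformat(last)))
    return rows


def inactive_users(text: str, as_of: date,
                   threshold_days: int) -> List[Tuple[str, Optional[int]]]:
    """Return (user_id, days_idle) for every ID idle longer than the threshold.

    IDs that never logged in are always reported with days_idle None: an ID
    that was issued but never used is a standing, unmonitored credential.
    """
    flagged: List[Tuple[str, Optional[int]]] = []
    for user_id, last in parse_listing(text):
        if last is None:
            flagged.append((user_id, None))
            continue
        idle = (as_of - last).days
        if idle > threshold_days:
            flagged.append((user_id, idle))
    return flagged


if __name__ == "__main__":
    for days in (180, 35):
        hits = inactive_users(SAMPLE_LISTING, date(2001, 3, 1), days)
        print(f"idle > {days} days: {hits}")
```

The output is the suspension candidate list; whether an ID is suspended or removed remains the ISSO's decision, as the text above describes, but producing the list no longer depends on specialist knowledge of the security software's retrieval language.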

Recommendations, Management Comments, and Audit Response


Revised Finding and Recommendation. Based on management’s comments, we revised our finding discussion of ISSO independence and the related Recommendation 1.a.(1) to reiterate Recommendation 1.b.(3) made in Inspector General, DoD, Report No. 99-107. Additional comments are provided in the audit response to management comments on the recommendation.

1. We recommend that the Director, Defense Finance and Accounting Service, revise:

a. Defense Finance and Accounting Service Regulation 8000.1-R, “Information Management (IM) Corporate Policy,” part G., chapter 1, “DFAS Information Assurance Policy,” July 18, 2000, to:

(1) Create a security structure within the Defense Finance and Accounting Service that defines the chain of command for Information System Security Officers to ensure that they do not report to the operational elements over which security requirements must be enforced.

(2) Specifically identify and establish a minimum level 2 training requirement for information system security officers in the discussion of training requirements in paragraph 7.9.

b. Memorandum of Agreement on the Defense Joint Military Pay System, June 15, 2000, in concert with the changes recommended to Defense Finance and Accounting Service Regulation 8000.1-R.

Management Comments. DFAS nonconcurred with Recommendation 1.a.(1), stating that the mediation agreement on Inspector General, DoD, Report No. 99-107 had resolved the ISSO reporting issue. As a result, DFAS revised DFAS Regulation 8000.1-R to provide autonomy for ISSOs when enforcing requirements over operational elements. Information System Security Managers appoint ISSOs, who cannot be assigned to the end-user population of a system or to a Central Design Activity directly supporting the production system.

ISSOs report to the Information System Security Managers on security matters with an advisory provided to the application’s system or project manager. However, DFAS concurred with Recommendations 1.a.(2) and 1.b., stating that the recommended actions will be completed by December 31, 2001, and January 31, 2002, respectively.

Audit Response. Contrary to management comments, the mediation agreement on Inspector General, DoD, Report No. 99-107 did not relate to Recommendation 1.a.(1) on defining an independent chain of command through which ISSOs should report. Instead, that mediation agreement related to another recommendation made in that report to make ISSOs the direct supervisors over certain security administrators. However, based on management’s comments, we revised our finding discussion of ISSO independence to reflect the impact of management’s concurrence in two related recommendations made in Inspector General, DoD, Report No. 99-107. We also revised our draft report’s Recommendation 1.a.(1) to reiterate the agreed-to Recommendation 1.b.(3) made in Inspector General, DoD, Report No. 99-107, which was not fully implemented by DFAS. We request that management provide additional comments on the revised recommendation, including the related Recommendation 1.b. on the DJMS memorandum of agreement.

2. We recommend that the Director for Defense Joint Military Pay System Centralized Systems Management, Defense Finance and Accounting Service Denver:

a. Direct the information system security officer to:

(1) Review all user permissions and verify that proper separation of conflicting duties is maintained among users and sensitive access to datasets, profiles, owned transactions, and other Defense Joint Military Pay System core resources is granted in accordance with DoD Regulation 5200.2-R, “Personnel Security Program,” January 1987.

(2) Annually provide and report upon training given to supervisors and security administrators on their responsibilities in preparing and processing the Defense Information Systems Agency Form 41, “System Authorization Access Request.” Annual attendance at such training should be mandatory for all supervisors who request user access to system core resources and for security administrators over the system’s core and Air Force-unique resources.

(3) Validate and document all user access to the corresponding Defense Information Systems Agency Form 41, “System Authorization Access Request.”

(4) Annually require that supervisors over system users provide written assurance that position descriptions for system users are assigned the proper sensitivity level and that system users (including contractors) with critical-sensitive access to automated information systems have background investigations (and where appropriate, interim waivers pending completion of such investigations), as required by DoD Regulation 5200.2-R.

b. Verify that position descriptions with correct sensitivity ratings are approved for each position before filling current and future vacancies on the system’s core security team.

Management Comments. DFAS concurred in all the recommendations. User access for DJMS core resources was reviewed and validated to ensure system access is controlled. In addition, training was provided to DJMS core supervisors and Terminal Area Security Officers on their responsibilities in processing the system authorization requests. Management reviewed and validated core user DISA Form 41s. Supervisors will provide the annual assurance on position sensitivity and required background investigations for system users. Finally, position descriptions were approved for correct sensitivity ratings in the DJMS core security office. All corrective actions will be completed in FY 2001.

3. We recommend that, pending implementation of Recommendation 1.a.(1), the Director, Directorate for Military Pay—Air Force, Defense Finance and Accounting Service Denver, direct the information system security officers to:

a. Review all user permissions and verify that proper separation of conflicting duties is maintained among users and sensitive access to datasets, profiles, owned transactions, and other Defense Joint Military Pay System Air Force-unique resources is granted in accordance with DoD Regulation 5200.2-R.

Management Comments. DFAS concurred, stating that corrective actions will be completed in FY 2001.

b. Attend the annual training required by Recommendation 2.a.(2) and annually provide and report upon training given to supervisors on their responsibilities in preparing and processing the Defense Information Systems Agency Form 41, “System Authorization Access Request.” Annual attendance at such training should be mandatory for all supervisors who request user access to Air Force-unique system resources.

Management Comments. DFAS nonconcurred, stating that training was already provided to DFAS Denver users, as is done at other locations. Revised instructions on the DISA Form 41 were issued. Questions can also be e-mailed to the ISSOs for DJMS Air Force-unique resources. DFAS stated that a training course designed for the various locations serviced by the Denver ISSOs would be cumbersome and redundant.

Audit Response. Management’s comments are nonresponsive. The annual training cited by DFAS is not an adequate substitute for the recommended DISA Form 41 training. The training already given to all DFAS Denver employees, which focuses on Internet and e-mail policies, is too general and does not address the DISA Form 41. Updating DFAS Denver instructions on the DISA Form 41 is a positive step, but will not ensure that ISSOs, Terminal Area Security Officers, and supervisors comply with those instructions. Proper use of the DISA Form 41 is critical to DJMS security because it provides the basis for granting access to users. When the DISA Form 41 is not properly used, as was determined by this audit, a higher risk exists for erroneous payments and unauthorized changes to pay data and system resources. We request that DFAS reconsider its position and provide additional comments in response to this report.


c. Validate and document all user access to the corresponding Defense Information Systems Agency Form 41, “System Authorization Access Request.”

Management Comments. DFAS concurred, stating that DISA Form 41s are reviewed and validated when they are submitted. Other routine reports identify other irregularities for corrective actions. Corrective action was completed October 27, 2000.

Audit Response. The DFAS comments are only partially responsive because they are incomplete. DFAS corrective actions addressed the review and validation accomplished with the receipt of a new or revised DISA Form 41. Additional comments are required to describe the corrective actions taken or planned in reviewing and validating user access to the DISA Form 41s where such access did not change, thus not prompting the submission of a revised DISA Form 41 to the ISSOs. We request that DFAS provide additional comments in response to this report.

d. Annually require that supervisors of system users provide written assurance that position descriptions for system users are assigned the proper sensitivity level and that system users (including contractors) with critical-sensitive access to automated information systems have background investigations (and where appropriate, interim waivers pending completion of such investigations), as required by DoD Regulation 5200.2-R.

Management Comments. DFAS nonconcurred, stating that position descriptions for the ISSOs for DJMS Air Force-unique resources were properly rated as critical-sensitive. Management also stated that supervisors and human resources review position sensitivity ratings and individual qualifications.

Audit Response. DFAS comments are nonresponsive and incomplete with respect to the corrective actions planned or completed related to supervisory attestations on required background investigations or waivers. Management’s comments focused on the process for assigning sensitivity ratings to position descriptions. We agree that assigning the proper sensitivity rating to a position description is a significant control when that position description is first created. That control should automatically trigger requests by human resources for background investigations when critical-sensitive positions are filled. However, the control is effective only when the employee remains in the same position. The audit determined that DJMS employees were transferred from nonsensitive to critical-sensitive positions for which no approved position description existed. Such transfers will not automatically trigger requests for background investigations because human resources staff is unaware of any formal change in the employee’s position description. Thus, requiring supervisors to annually attest to the propriety of the position sensitivity ratings for DJMS users is a fail-safe control intended to identify users who may have transferred to positions with different sensitivity ratings.

Management’s comments did not address the supervisory attestations on required background investigations or waivers. The audit determined that contract employees with critical-sensitive access did not have required background investigations or waivers. Obtaining background investigations on employees with critical-sensitive access is a crucial control because of the grave damage such employees could do to DJMS resources. We request that DFAS reconsider its position and provide additional comments in response to this report.


4. We recommend that the Director, Human Resources, Defense Finance and Accounting Service Support Services Denver, establish procedures to periodically alert site supervisors to the importance of and requirement that appropriate position descriptions be established for all personnel positions before filling such vacancies by promotion or reassignment.

Management Comments. DFAS concurred, stating that a memo was sent to all directors, advising that appropriate position descriptions must be established for all positions before filling vacancies. Similar alerts will be provided at the beginning of each calendar year.
Appendix A. Audit Process


Scope


Work Performed. We evaluated the controls over organizational placement of the ISSOs, user access to the DJMS application resources, sensitivity ratings of personnel with sensitive access to DJMS application resources, user access requests, and inactive users. To test security rules and access authorizations, we used the audit features of the Computer Associates International, Inc., TOP SECRET security software.

Limitations to Audit Scope. The review of the management control program, as it related to the overall audit objective, is reported in Inspector General, DoD, Report No. D-2001-052, “Controls Over the Defense Joint Military Pay System,” February 15, 2001.

DoD-Wide Corporate Level Government Performance and Results Act Goals. In response to the Government Performance and Results Act, the Secretary of Defense annually establishes DoD-wide corporate-level goals, subordinate performance goals, and performance measures. Although the Secretary of Defense has not established any goals for Information Assurance, the General Accounting Office lists it as a high risk area. This report pertains to Information Assurance as well as achievement of the following goal, subordinate performance goal, and performance measures.

• FY 2001 Corporate-level Goal 2: Prepare now for an uncertain future by pursuing a focused modernization effort that maintains U.S. qualitative superiority in key warfighting capabilities. Transform the force by exploiting the Revolution in Military Affairs, and reengineer the Department to achieve a 21st century infrastructure. (01-DoD-2)

• FY 2001 Subordinate Performance Goal 2.5: Improve DoD financial and information management. (01-DoD-2.5)

• FY 2001 Performance Measure 2.5.1: Reduce the number of noncompliant finance and accounting systems. (01-DoD-2.5.1)

• FY 2001 Performance Measure 2.5.3: Qualitative assessment of reforming information technology management. (01-DoD-2.5.3)

DoD Functional Area Reform Goals. Most major DoD functional areas have also established performance improvement reform objectives and goals. This report pertains to achievement of the following functional area objectives and goals.

• Financial Management Functional Area. Objective: Strengthen internal controls. Goals: Improve compliance with the Federal Managers’ Financial Integrity Act. (FM-5.3)

• Information Technology Management Functional Area. Objective: Ensure that vital DoD information resources are secure and protected. Goal: Assess the information assurance posture of DoD operational systems. (ITM-4.4)

General Accounting Office High Risk Area. The General Accounting Office has identified several high risk areas in the DoD. This report provides coverage of the Information Security and Defense Financial Management high risk areas.

Methodology


Use of Computer-Processed Data. We relied on computer-processed data extracted from the security software database provided by Computer Associates International, Inc., TOP SECRET security software for DJMS. All systems testing and use of security software audit tools were accomplished in a controlled environment with management approval. We used automated and manual techniques to analyze system data. Based on those tests and assessments, we concluded that the data were sufficiently reliable to be used in meeting the audit objectives.

Audit Type, Dates, and Standards. This financial-related audit was performed from March 2000 through March 2001. We did our work in accordance with generally accepted Government auditing standards except that we were unable to obtain an opinion on our system of quality control. The most recent external quality control review was withdrawn on March 15, 2001, and we will undergo a new review.

Contacts During the Audit. We visited or contacted individuals and organizations within DoD. Further details are available on request.
Appendix B. Prior Coverage


During the past 5 years, the Inspector General, DoD, issued two reports related to DJMS information system security controls. The reports are listed below.

Inspector General, DoD

Report No. 97-203, “Application Controls Over the Defense Joint Military Pay System Reserve Component,” August 15, 1997

Report No. 96-175, “Computer Security Over the Defense Joint Military Pay System,” June 25, 1996

This audit followed up on specific recommendations made in those two reports. The prior audits identified problems similar to those discussed in the Finding section of this report, which are identified as repeat findings. The results of the followup made in this audit are summarized in the Table below and are detailed in the report discussion.


Followup Status of Prior Audit Recommendations

(Table columns: Inspector General, DoD, Report and Recommendation; Corrective Action Taken; Audit Followup Results.)

Report No. 96-175, Recommendation A.1.a. The Director for Military Pay—Air Force, DFAS Military and Civilian Services (formerly the Director, Directorate of Military Pay, DFAS Denver Center) should direct ISSOs to review and verify user access to master pay datasets, sensitive profiles, multiple user tables, and high-risk owned transactions.

Corrective Action Taken. DFAS concurred, stating that corrective action was complete. Regular audits of the master pay datasets, profiles, critical commands (OTRANs) had been made and would continue.

Audit Followup Results. A repeat finding is reported in this report, as discussed under User Access Controls. The prior recommendation was appropriate (and is reiterated in this report). However, current DJMS Security Administrators lacked the technical expertise and training to effectively implement the recommended corrective actions.

Report No. 96-175, Recommendation A.1.b. The Director for Military Pay—Air Force should direct ISSOs to review and verify user access to ensure adequate separations of conflicting duties.

Corrective Action Taken. DFAS concurred, stating that corrective action was complete. Central site profiles were reviewed and discrepancies corrected to ensure separation of conflicting duties. The “Access” profile was reviewed and critical production datasets were changed to read-only access.

Audit Followup Results. A repeat finding is reported in this report, as discussed under User Access Controls. The prior recommendation was appropriate (and is reiterated in this report). However, current DJMS Security Administrators lacked the technical expertise and training to effectively implement the recommended corrective actions.

Report No. 96-175, Recommendation A.1.c. The Director for Military Pay—Air Force should direct ISSOs to remove Global Access Permission from all sensitive profiles.

Corrective Action Taken. DFAS concurred and removed the Global Access Permission attribute from the five profiles.

Audit Followup Results. Audit followup verified that the attribute was removed from sensitive profiles.

Report No. 96-175, Recommendation C.3.a. The Director for Military Pay—Air Force should realign the directorate so that the ISSO reports to the director.

Corrective Action Taken. This recommendation was superseded by two recommendations made in Inspector General, DoD, Report No. 99-107 to revise a DFAS information security regulation to define the operational elements of each automated information system over which ISSOs must enforce security requirements (Recommendation 1.b.(2)), and create a security structure within DFAS that defines the chain of command for ISSOs to ensure they do not report to the identified operational elements (Recommendation 1.b.(3)). In additional comments on that report, DFAS concurred. DFAS revised the regulation to define the operational elements but did not fully implement the second recommendation.

Audit Followup Results. A repeat finding is reported in this report, as discussed under ISSO independence. The prior recommendation was appropriate but the changes made to the DFAS regulation did not clearly establish an independent chain of command through which ISSOs should report. This report reiterates Recommendation 1.b.(3) in Inspector General, DoD, Report No. 99-107.

Report No. 96-175, Recommendation C.3.b. The Director for Military Pay—Air Force should assume responsibility for designating position sensitivity for all positions created within the directorate.

Corrective Action Taken. DFAS concurred, stating the sensitivity rating for the three DJMS Air Force-unique ISSOs was upgraded to critical-sensitive.

Audit Followup Results. The condition identified by the prior audit was subsequently incorporated in a DFAS-wide finding and recommendation. See the discussion below for details on the repeat finding reported in this report related to followup made on Report No. 97-203, Recommendation B.3.a.

Report No. 96-175, Recommendation C.3.c. The Director for Military Pay—Air Force should verify the accuracy of sensitivity levels assigned to all directorate positions.

Corrective Action Taken. DFAS concurred, stating that the Defense Security Service was processing required security clearances for directorate positions.

Audit Followup Results. The condition identified by the prior audit was subsequently incorporated in a DFAS-wide finding and recommendation. See the discussion below for
details  on  the  repeat  finding 
reported  in  this  report 
related  to  followup  made 
on  Report  No.  97-203, 
Recommendation  B .  3 .  b . 

Report  No.  97-203, 
Recommendation  B.2. 

The  Director,  Directorate 
for  Support  Services, 

DFAS  Support  Services 
Denver  (formerly  Director, 
Directorate  for  Software 
Engineering-Military  Pay, 
DFAS  Financial  Systems 
Organization)  should 
request  access  to  DIMS 
resources  directly  from 
DIMS  ISSOs. 

DFAS  concurred,  stating 
that  procedures  were 
established  to  request 
system  access  through  the 
DIMS  coordinating  ISSO. 

Audit  followup  verified  that 
the  procedures  were 
developed. 

Report  97-203, 
Recommendation  B.3.a. 

The  DFAS  Director  should 
emphasize  security  by 
requiring  each  site  director 
(formerly  center  directors) 
and  the  Director  for 
Information  and 

DFAS  partially  concurred. 
Under  the  mediation 
agreement  with  the 

Inspector  General,  DoD, 
the  DFAS  Director  was  to 
issue  directions  to  each  site 
director  and  the  Director 

Audit  followup  was  limited 
to  DFAS  Denver.  A  repeat 
finding  is  reported  in  this 
report,  as  discussed  under 
Critical-Sensitive  Ratings. 
The  prior  recommendation 
was  appropriate  for  a 

Report  97-203, 
Recommendation  B.3.a. 

for  Information  and 
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Inspector  General,  DoD, 
Report  and 

Recommendation 

Corrective  Action  Taken 

Audit  Followup  Results 

(coin’d)  Technology 
(formerly  Deputy  Director, 
Information  Management) 
to  provide  written 
assurance  that  sensitivity 
levels  are  assigned  to  all 
personnel  positions  in 
accordance  with  DoD 
Regulation  5200. 2-R. 

Technology  to  verify 
compliance  with  personnel 
security  requirements, 
including  the  sensitivity 
assigned  to  all  DFAS 
positions.  These  directors 
would  be  required  to 
provide  the  DFAS  Director 
with  written  assurance 
when  compliance  was 
achieved. 

one-time  action  at  the 
Director’s  level.  However, 
the  recommendation  is 
reiterated  in  this  followup 
report  but  specific  only  to 
DIMS  users.  Secondary 
internal  controls  were 
circumvented  or  not 
followed.  The  primary 
control  (the  DIMS  Security 
Administrators)  failed 
because  most  of  these 
security  administrators 
were  not  adequately  trained 
in  their  responsibilities  in 
granting  system  access 
requests.  This  report 
recommends  ISSO  training 
and  alerts  to  Denver  site 
managers  to  the  importance 
of  establishing  appropriate 
position  descriptions  before 
filling  personnel  vacancies. 

Report  No.  97-203, 
Recommendation  B.3.b. 

The  DFAS  Director  should 
emphasize  security  by 
requiring  each  site  director 
and  the  Director  for 
Information  and 

Technology  to  provide 
written  assurance  that  all 
personnel  with  sensitive 
access  to  automated 

DFAS  partially  concurred. 

In  response  to  the 
mediation  agreement  with 
the  Inspector  General, 

DoD,  the  DFAS  Director 
was  to  issue  directions  to 
each  site  director  and  the 
Director  for  Information 
and  Technology  to  verify 
compliance  with  personnel 

Audit  followup  was  limited 
to  DFAS  Denver.  A  repeat 
finding  is  reported  in  this 
report,  as  discussed  under 
Critical-Sensitive  Ratings. 
The  prior  recommendation 
was  appropriate  for  a  one¬ 
time  action  at  the 

Director’s  level.  However, 
the  recommendation  is 

Report  No.  97-203, 
Recommendation  B.3.b. 

security  requirements. 

reiterated  in  this  followup 
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Inspector  General,  DoD, 
Report  and 

Recommendation 

Corrective  Action  Taken 

Audit  Followup  Results 

(cont’d)  information  systems 
have  background 
investigations  (and  where 
appropriate,  interim 
waivers  pending 
completion  of  such 
investigations),  as  required 
by  DoD  Regulation 
5200.2-R. 

including  background 
investigative  requirements 
for  all  DFAS  positions. 

These  directors  would  be 
required  to  provide  the 

DFAS  Director  with 
written  assurance  when 
compliance  was  achieved. 

report  but  specific  only  to 
DIMS  users.  The  primary 
control  (the  DIMS  Security 
Administrators)  failed 
because  most  of  these 
security  administrators 
were  not  adequately  trained 
in  their  responsibilities  in 
granting  system  access 
requests.  This  report 
recommends  ISSO  training. 
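The profile reviews recorded above for Report No. 96-175 (conflicting profiles held by one userid, write access to critical production datasets, the Global Access Permission attribute on sensitive profiles) and the last-used-date checks DFAS describes in its comments on Recommendation 2.a.(1) are the kind of access review that can be scripted against an export from the security product. The following Python is an added example and is not code from the audit report or from DFAS; the profile and userid names, the conflict pairs, the `global_access` flag used to model the attribute, and the sample export are all constructed for illustration.

```python
# Added example (not from the audit report): access-review checks of the kind
# the followup table describes -- conflicting profiles on one userid, write
# access to critical production datasets, a global-access attribute on a
# sensitive profile, and userids idle past a cutoff.  Profile and userid names,
# the conflict pairs and the "global_access" flag are hypothetical modelling
# choices; the sample export below is constructed, not real DJMS data.
from dataclasses import dataclass, field
from datetime import date

# Pairs of profiles one userid must never hold together (hypothetical names).
CONFLICTING_PROFILES = {
    frozenset({"PAYINPUT", "PAYCERT"}),   # enters pay transactions / certifies them
    frozenset({"SECADMIN", "PAYINPUT"}),  # administers security / enters transactions
}
# Production datasets for which anything beyond READ is a finding.
CRITICAL_DATASETS = {"PROD.DJMS.MASTER", "PROD.DJMS.PAYHIST"}


@dataclass
class Profile:
    name: str
    sensitive: bool = False
    global_access: bool = False   # models the attribute removed under Rec. A.1.c
    dataset_access: dict = field(default_factory=dict)  # dataset -> READ/UPDATE/ALL


@dataclass
class User:
    userid: str
    profiles: list
    last_used: date


def conflicting_duties(user):
    """Return each forbidden pair the userid holds in full, as 'A+B' strings."""
    held = set(user.profiles)
    return sorted("+".join(sorted(p)) for p in CONFLICTING_PROFILES if p <= held)


def write_access_to_critical(profile):
    """Critical production datasets this profile can modify."""
    return sorted(ds for ds, level in profile.dataset_access.items()
                  if ds in CRITICAL_DATASETS and level != "READ")


def idle_days(user, today):
    return (today - user.last_used).days


def review(users, profiles, today, max_idle_days=90):
    """Produce (subject, code, detail) findings for the access review."""
    findings = []
    for u in users:
        for pair in conflicting_duties(u):
            findings.append((u.userid, "CONFLICT", pair))
        if idle_days(u, today) > max_idle_days:
            findings.append((u.userid, "STALE", f"{idle_days(u, today)} days"))
    for p in profiles:
        if p.sensitive and p.global_access:
            findings.append((p.name, "GLOBAL_ACCESS", "sensitive profile"))
        for ds in write_access_to_critical(p):
            findings.append((p.name, "WRITE_TO_CRITICAL", ds))
    return findings


# Constructed sample export (hypothetical).
SAMPLE_PROFILES = [
    Profile("PAYINPUT", sensitive=True, dataset_access={"PROD.DJMS.MASTER": "UPDATE"}),
    Profile("PAYCERT", sensitive=True, global_access=True,
            dataset_access={"PROD.DJMS.MASTER": "READ"}),
    Profile("SECADMIN", sensitive=True),
    Profile("ACCESS", dataset_access={"PROD.DJMS.PAYHIST": "READ",
                                      "TEST.DJMS.MASTER": "ALL"}),
]
SAMPLE_USERS = [
    User("U1", ["PAYINPUT", "PAYCERT"], date(2001, 5, 1)),
    User("U2", ["PAYCERT"], date(2000, 11, 15)),
    User("U3", ["SECADMIN"], date(2001, 5, 28)),
]


def run_sample(today=date(2001, 6, 1)):
    return review(SAMPLE_USERS, SAMPLE_PROFILES, today)


if __name__ == "__main__":
    for subject, code, detail in run_sample():
        print(f"{subject:10} {code:18} {detail}")
```

Run against the constructed export, the review flags U1 for holding both PAYINPUT and PAYCERT, PAYINPUT for UPDATE access to a critical production dataset, PAYCERT for carrying the global-access attribute while sensitive, and U2 as idle for 198 days; the ACCESS profile's ALL access to a TEST dataset is not reported because only production datasets are in the critical set.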
Appendix C. File Transfer Protocol


The DJMS System Manager identified security risks in the use of a locally developed file transfer protocol, which was called the File Transfer Interface. This file transfer protocol was used by the DJMS application to transfer data between locations. Although not part of our audit objectives, we evaluated the corrective action taken by management related to this file transfer protocol.

The DJMS System Manager determined that the File Transfer Interface software did not adequately control the DJMS data that it sent to and received from remote locations. Specifically, user IDs for the File Transfer Interface were shared, the passwords were non-expiring, and the identity of the transfer source was not validated. The File Transfer Interface software completed a series of systemic, high-level qualifier validations to either accept or reject data in a DJMS update. However, these validations did not mitigate the risks created by sharing user IDs or using non-expiring passwords: a qualifier check on the dataset name establishes what a transfer claims to be, not who sent it, so any holder of the shared credential could submit an update that the software could not distinguish from a legitimate one. As a result, DJMS data could be compromised.

We determined that the Departmental Accounting Systems Support Branch, Directorate for Technology Services, DFAS Support Services Denver, was actively working with DISA Mechanicsburg to find suitable file transfer software that meets the security requirements of both DFAS and DISA. In addition, unique user IDs will be required to use the File Transfer Interface.
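The following Python models the weak acceptance rule described in this appendix (one shared, non-expiring credential plus a high-level qualifier check on the dataset name) beside a hardened rule that validates the transfer source: a unique user ID per sending location, a password age limit, and a per-source keyed MAC over the dataset name and payload. It is an added example, not the File Transfer Interface software or anything DFAS or DISA selected; the location names, credentials, keys, dataset naming convention, the 90-day limit and the HMAC-based source check are all assumptions made for illustration.

```python
# Added example, not the File Transfer Interface software: the weak acceptance
# rule Appendix C describes (shared, non-expiring credential plus a high-level
# qualifier check on the dataset name) next to a hardened rule that actually
# validates the transfer source.  Location names, credentials, keys, the
# dataset naming convention, the 90-day limit and the HMAC check are all
# hypothetical choices for illustration.
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date

ALLOWED_HLQS = {"DJMS.UPDATE"}              # high-level qualifiers accepted for an update
MAX_PASSWORD_AGE_DAYS = 90
SHARED_CREDENTIAL = ("FTIUSER", "FTIPASS")  # the one credential every location used


@dataclass(frozen=True)
class Transfer:
    source: str        # sending location the transfer claims to come from
    userid: str
    password: str
    dataset: str       # e.g. DJMS.UPDATE.DENVER.D010601
    payload: bytes
    mac: bytes = b""   # per-source keyed MAC over dataset name and payload


@dataclass(frozen=True)
class SourceAccount:
    userid: str
    password: str
    password_set: date
    key: bytes         # secret shared only with that location


# Constructed account table (hypothetical).
ACCOUNTS = {
    "DENVER": SourceAccount("FTIDEN", "pw-den-2001q2", date(2001, 5, 1), b"k-denver"),
    "MECHANICSBURG": SourceAccount("FTIMECH", "pw-mech-2001q1", date(2001, 1, 2), b"k-mech"),
}


def hlq(dataset):
    """Two-level high-level qualifier of a dataset name."""
    return ".".join(dataset.split(".")[:2])


def accept_weak(t):
    """Checks the credential and the dataset name, never the sender."""
    return (t.userid, t.password) == SHARED_CREDENTIAL and hlq(t.dataset) in ALLOWED_HLQS


def sign(account, dataset, payload):
    return hmac.new(account.key, dataset.encode() + b"\0" + payload, hashlib.sha256).digest()


def accept_hardened(t, today):
    acct = ACCOUNTS.get(t.source)
    if acct is None or acct.userid != t.userid or \
            not hmac.compare_digest(acct.password.encode(), t.password.encode()):
        return "REJECT: credential not bound to claimed source"
    if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        return "REJECT: password expired"
    if hlq(t.dataset) not in ALLOWED_HLQS:
        return "REJECT: dataset not permitted"
    if not hmac.compare_digest(sign(acct, t.dataset, t.payload), t.mac):
        return "REJECT: payload not authenticated by source"
    return "ACCEPT"


PAYLOAD = b"MBR=000000001;ACTION=PAYADJ;AMT=+120.00\n"   # constructed update record


def demo(today=date(2001, 6, 1)):
    """Run the same transfers through both rules; returns the decisions."""
    den, mech = ACCOUNTS["DENVER"], ACCOUNTS["MECHANICSBURG"]
    good = Transfer("DENVER", den.userid, den.password, "DJMS.UPDATE.DENVER.D010601", PAYLOAD)
    good = replace(good, mac=sign(den, good.dataset, good.payload))
    # Anyone holding the shared credential can claim to be Denver.
    forged = Transfer("DENVER", *SHARED_CREDENTIAL, "DJMS.UPDATE.DENVER.D010601", PAYLOAD)
    tampered = replace(good, payload=PAYLOAD.replace(b"+120.00", b"+9120.00"))
    stale = Transfer("MECHANICSBURG", mech.userid, mech.password,
                     "DJMS.UPDATE.MECH.D010601", PAYLOAD)
    stale = replace(stale, mac=sign(mech, stale.dataset, stale.payload))
    return {
        "weak_accepts_forged": accept_weak(forged),
        "hardened_forged": accept_hardened(forged, today),
        "hardened_good": accept_hardened(good, today),
        "hardened_tampered": accept_hardened(tampered, today),
        "hardened_stale_password": accept_hardened(stale, today),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

The forged transfer passes the weak rule because it carries the shared credential and a permitted qualifier; the hardened rule rejects it because the credential is not the one issued to the location it claims, rejects the tampered copy because the MAC no longer matches, and rejects the Mechanicsburg transfer because its password is older than the limit even though everything else is in order.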
Appendix D. Report Distribution


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  (Comptroller) 
Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Naval  Inspector  General 

Auditor  General,  Department  of  the  Navy 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 


Other  Defense  Organizations 

Director,  Defense  Finance  and  Accounting  Service 

Non-Defense  Federal  Organizations 

Office  of  Management  and  Budget 


Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 

House  Committee  on  Appropriations 

House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform

House Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on Government Reform
Defense Finance and Accounting Service Comments


Final  Report 
Reference 


DEFENSE FINANCE AND ACCOUNTING SERVICE
KANSAS CITY, MISSOURI 64197-0001

May 22, 2001

MEMORANDUM FOR DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITING, OFFICE OF THE INSPECTOR GENERAL, DEPARTMENT OF DEFENSE, ARLINGTON, VIRGINIA

SUBJECT: Comments on Draft Audit Report on Defense Joint Military Pay System Security Functions at Defense Finance and Accounting Service Denver (Project No. D2000FG0052.001), dated March 16, 2001


The  requested  comments  to  the  subject  draft  audit  report 
are  provided  below: 

Recommendation 1.a.(1): "The Director, Defense Finance and Accounting Service, revise the Defense Finance and Accounting Service Regulation 8000.1-R, "Information Management (IM) Corporate Policy," Part G., Chapter 1, "DFAS Information Assurance Policy," July 18, 2000, to specify that information system security officers (ISSOs) shall report directly to the project or system manager for each information system, where appropriate or to functional application managers at each agency site such as the Director for Military Pay - Air Force."

DFAS Comments: Non-Concur.

Rationale for Non-concurrence: The same ISSO reporting issue described in this report has been successfully mediated in the response to the audit report for the Defense Civilian Pay System, dated August 13, 2000. As a result of the mediation agreement, dated December 21, 1999, DFAS has revised DFAS Regulation 8000.1-R to provide autonomy for ISSOs when enforcing requirements over operational elements. ISSMs appoint in writing an ISSO for each information system that receives its primary support within the ISSM's activity. To further promote ISSO independence, an ISSO cannot be assigned to the end-user population of the system or to a Central Design Activity directly supporting a production system. ISSOs report security incidents, vulnerabilities and assessments to the supporting ISSM with an advisory to the PM/SM. DFAS implemented the new procedures in July 2000 and feels that time is needed to prove its effectiveness.


DFAS-PSM/DE

Final Report Reference: See revised recommendation and Finding discussion of ISSO independence.

Final Report Reference: Audit report date was March 16, 1999, not August 13, 2000.
Recommendation 1.a.(2): "We recommend that the Director, Defense Finance and Accounting Service, revise the Defense Finance and Accounting Service Regulation 8000.1-R, "Information Management (IM) Corporate Policy," Part G., Chapter 1, "DFAS Information Assurance Policy," July 18, 2000, to: Specifically identify and establish a minimum level 2 training requirement for information system security officers in the discussion of training requirements in paragraph 7.9."

DFAS Comments: Concur. DFAS will re-evaluate its Information Assurance (IA) Training and Certification Plan to ensure that IA personnel are trained to perform the tasks associated with their designated responsibilities for safeguarding DFAS information systems. DFAS will identify and establish training requirements for IA personnel (i.e., ISSMs, ISSOs, and TASOs) at a level equivalent to Level 2 for system administrators. ECD: December 31, 2001.

Recommendation 1.b: "We recommend that the Director, Defense Finance and Accounting Service, revise Memorandum of Agreement on the Defense Joint Military Pay System, June 15, 2000, in concert with the changes recommended to Defense Finance and Accounting Service Regulation 8000.1-R."

DFAS Comments: Concur. The Memorandum of Agreement on the Defense Joint Military Pay System, June 15, 2000, will be updated to reflect the Defense Finance and Accounting Service Regulation 8000.1-R changes identified in recommendation 1.a.(2). ECD: January 31, 2002.

Recommendation 2.a.(1): "The Director for Defense Joint Military Pay System Centralized Systems Management, Defense Finance and Accounting Service Denver, direct the information systems security officer to review all user permissions and verify that proper separation of conflicting duties is maintained among users and sensitive access to datasets, profiles, owned transactions, and other Defense Joint Military Pay System core resources is granted in accordance with DoD Regulation 5200.2-R, "Personnel Security Program," January 1987."
DFAS Comments: Concur. User permissions are continuously being reviewed on the DJMS. Separation of duties is maintained among users by checking for conflicting profiles on userids and conflicting access levels on CICS regions within profiles. Critical datasets with more than "read" access have been identified and an audit attribute has been added to them. Owned transactions (OTRANs) that have been identified as sensitive have been audited and/or placed in profiles and checked for separation of duties. File Transfer Protocol (FTP) userids are restricted to only authorized users and are audited. Userids are checked for last used dates and suspended or deleted based on that date, as applicable. ECD: Completed September 30, 2000.

Recommendation 2.a.(2): "The Director for Defense Joint Military Pay System Centralized Systems Management, Defense Finance and Accounting Service Denver, direct the information systems security officer to annually provide and report upon training given to supervisors and security administrators on their responsibilities in preparing and processing the Defense Information Systems Agency (DISA) Form 41, "System Authorization Access Request." Annual attendance at such training should be mandatory for all supervisors who request user access to system core resources and for security administrators over the system's core and Air Force-unique resources."

DFAS Comments: Concur. The DJMS Core Security Office has prepared and presented DJMS specific training to all core supervisors and TASOs. The annual training provides specific instruction relating to DJMS to include DISA Form 41, "System Authorization Access Request" preparation and processing, password review, and Computer Associates Top Secret (CA-TSS) security software "list" and "reset" command instructions. The attendance of this training was documented and will be maintained by the DJMS Core Security Office. ECD: Completed January 30, 2001.

Recommendation 2.a.(3): "The Director for Defense Joint Military Pay System Centralized Systems Management, Defense Finance and Accounting Service Denver, direct the information systems security officer to validate and document all user access to the corresponding DISA Form 41, 'System Authorization Access Request.'"

DFAS Comments: Concur. The DJMS Core Security Office has reviewed and validated all core users' DISA Form 41s. Additionally, supporting documentation has been attached to the DISA Form 41s to provide further audit trail, clarification, and justification. ECD: Completed September 14, 2000.
Recommendation 2.a.(4): "The Director for Defense Joint Military Pay System Centralized Systems Management, Defense Finance and Accounting Service Denver, direct the information systems security officer to annually require that supervisors over system users provide written assurance that position descriptions for system users are assigned the proper sensitivity level and that system users (including contractors) with critical-sensitive access to automated information systems have background investigations (and where appropriate, interim waivers pending completion of such investigation), as required by DoD 5200.2-R."

DFAS Comments: Concur. Supervisors are required to annually certify an Assurance Statement certifying all position descriptions for system users are assigned the appropriate sensitivity level to include that their employees with critical-sensitive access have the appropriate level of background investigation. The DJMS Core Security Office maintains the Assurance Statements. Additionally, before a user is permitted a high level of critical access, the user must provide a correctly prepared DISA Form 41 to include proof of the appropriate background investigation and/or a valid security waiver, as applicable. ECD: May 31, 2001.

Recommendation 2.b: "The Director for Defense Joint Military Pay System Centralized Systems Management, Defense Finance and Accounting Service Denver, verify that position descriptions with correct sensitivity ratings are approved for each position before filling current and future vacancies on the system's core security team."

DFAS Comments: Concur. Position descriptions with the correct sensitivity rating for each position in the DJMS Core Security Office are approved. Additionally, prior to filling future vacancies, position descriptions will be reviewed to ensure that the appropriate sensitivity ratings are represented. ECD: Completed September 8, 2000.

Recommendation 3.a: "The Director, Directorate for Military Pay - Air Force, Defense Finance and Accounting Service Denver, direct the ISSOs to review all user permissions and verify that proper separation of conflicting duties is maintained among users and sensitive access to datasets, profiles, owned transactions, and other Defense Joint Military Pay System Air Force-unique resources is granted in accordance with DoD Regulation 5200.2-R."

DFAS Comments: Concur. The DISA Forms 41 and the individual's records have been reviewed to ensure that conflicting profiles are not assigned. Additionally, Air Force Military Pay Operations is developing written procedures for modifying conflicting profiles. ECD: May 31, 2001.

Recommendation 3.b: "The Director, Directorate for Military Pay - Air Force, Defense Finance and Accounting Service Denver, direct the ISSOs to attend the annual training required by Recommendation 2.a.(2), and annually provide and report upon training given to supervisors on their responsibilities in preparing and processing the DISA Form 41, 'System Authorization Access Request.' Annual attendance at such training should be mandatory for all supervisors who request user access to Air Force-unique system resources."

DFAS Comments: Non-concur.

Rationale for Non-concurrence: DFAS-TDMS/DE, Information System Security, provides annual training on various aspects of information security for the Denver users. Each location has similar requirements for security training. DFAS-DEM 7073-1, Chapter 3, provides instructions on the DISA Form 41; a revision to the chapter was disseminated in April 2001. In addition, the Denver ISSOs have a dedicated electronic mailbox if anyone has additional questions. A training course, designed for the various locations serviced by the Denver ISSOs, would be cumbersome and redundant.

Recommendation 3.c: "The Director, Directorate for Military Pay - Air Force, Defense Finance and Accounting Service Denver, direct the ISSOs to validate and document all user access to the corresponding DISA Form 41, 'System Authorization Access Request.'"

DFAS Comments: Concur. DISA Forms 41 are reviewed when they are submitted. In addition, other routine reports document irregularities or non-use and appropriate action is taken. ECD: Completed October 27, 2000.
Recommendation 3.d: "The Director, Directorate for Military Pay - Air Force, Defense Finance and Accounting Service Denver, direct the ISSOs to annually require that supervisors of the system users provide written assurance that position descriptions for system users (including contractors) are assigned the proper sensitivity level and that access to automated information systems have background investigations (and where appropriate, interim waivers pending completions of such investigations), as required by DoD 5200.2-R."

DFAS Comments: Non-concur.

Rationale for Non-Concurrence: The position descriptions for the ISSOs assigned to DFAS-PMJ/DE are properly coded as critical sensitive. As an essential part of the hiring process, the immediate supervisors are responsible for reviewing position descriptions to determine their needs. Human Resources is responsible for reviewing the position descriptions for general compliance items and reviewing the qualifications of the individuals presented to management for consideration.

Recommendation 4: "The Director, Human Resources Defense Finance and Accounting Service Support Services, Denver, establish procedures to periodically alert site supervisors to the importance of and requirement that appropriate position descriptions be established for all personnel positions before filling such vacancies by promotion or reassignment."

DFAS Comments: Concur. The Denver Human Resources Customer Support Unit sent a memo to all directors on January 16, 2001 advising that appropriate position descriptions must be established for all positions before filling vacancies. In addition, this memo also advised that when an employee is placed in another position, even on a temporary basis, the employee must meet the position sensitivity and any physical requirements of the new position. This periodical alert will be done on an annual basis at the beginning of the calendar year. ECD: Completed January 16, 2001.
Questions your staff may have concerning these matters may be directed to my point of contact, Ms. Sue Schallenberg, DFAS-PSM/DE, (303) 676-7541.


Director, Military and Civilian Pay Services

cc:

DFAS-DDI/AR